Sourcefire VRT Rules Update

Date: 2011-06-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2.8.6.1.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:19172 <-> ENABLED <-> NETBIOS Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt (netbios.rules)
 * 1:19167 <-> ENABLED <-> SPECIFIC-THREATS Digium Asterisk UDPTL processing overflow attempt (specific-threats.rules)
 * 1:19170 <-> ENABLED <-> SPECIFIC-THREATS Microsoft .NET Framework XAML browser applications stack corruption (specific-threats.rules)
 * 1:19171 <-> ENABLED <-> WEB-CLIENT Microsoft Internet Explorer 8 ieshims.dll dll-load exploit attempt (web-client.rules)
 * 1:19164 <-> ENABLED <-> BOTNET-CNC Trojan SpyEye outbound connection (botnet-cnc.rules)
 * 1:19162 <-> ENABLED <-> ORACLE get_domain_index_metadata privilege escalation attempt (oracle.rules)
 * 1:19165 <-> ENABLED <-> BLACKLIST USER-AGENT known malicious user-agent string Microsoft Internet Explorer (blacklist.rules)
 * 1:19169 <-> ENABLED <-> WEB-CLIENT RealPlayer vidplin.dll avi header parsing execution attempt (web-client.rules)
 * 1:19166 <-> DISABLED <-> POLICY Microsoft Excel file download (policy.rules)
 * 1:19174 <-> ENABLED <-> WEB-CLIENT Windows Vista feed headlines cross-site scripting attack attempt (web-client.rules)
 * 1:19163 <-> ENABLED <-> ORACLE get_v2_domain_index_tables privilege escalation attempt (oracle.rules)
 * 1:19168 <-> ENABLED <-> WEB-MISC Oracle GoldenGate Veridata Server soap request overflow attempt (web-misc.rules)
 * 1:19173 <-> ENABLED <-> RPC CDE Calendar Manager service memory corruption attempt (rpc.rules)

Modified Rules:
 * 1:17509 <-> ENABLED <-> WEB-MISC Microsoft .NET Manifest download attempt (web-misc.rules)
 * 1:17510 <-> ENABLED <-> WEB-MISC Microsoft .NET Deploy download attempt (web-misc.rules)
 * 1:18996 <-> ENABLED <-> ORACLE DBMS_JAVA.SET_OUTPUT_TO_JAVA privilege escalation attempt (oracle.rules)
 * 1:19136 <-> ENABLED <-> EXPLOIT CA XOsoft Multiple Products entry_point.aspx buffer overflow attempt (exploit.rules)
 * 3:16377 <-> ENABLED <-> EXPLOIT Internet Explorer DOM mergeAttributes memory corruption attempt (exploit.rules)